Abstract

We derive a new bound for some bilinear sums over points of an 
elliptic curve over a finite field. We use this bound to improve a series 
of previous results on various exponential sums and some arithmetic 
problems involving points on elliptic curves. 
1 Introduction

Let $q$ be a prime power and let $\mathcal{E}$ be an elliptic curve defined over a finite field $\mathbb{F}_q$ of $q$ elements of characteristic $p > 5$ given by an affine Weierstraß equation

$$\mathcal{E}:\ Y^2 = X^3 + AX + B$$

with some $A, B \in \mathbb{F}_q$, see [2, 4, 23].
We recall that the set of all points on $\mathcal{E}$ forms an abelian group, with the "point at infinity" $\mathcal{O}$ as the neutral element, and we use $\oplus$ to denote the group operation. In particular, we sometimes work with group characters associated with this group.

As usual, we write every point $P \ne \mathcal{O}$ on $\mathcal{E}$ as $P = (x(P), y(P))$. Let $\mathcal{E}(\mathbb{F}_q)$ denote the set of $\mathbb{F}_q$-rational points on $\mathcal{E}$. We recall that the celebrated result of Bombieri [5] implies, in particular, an estimate of order $q^{1/2}$ for exponential sums with functions from the function field of $\mathcal{E}$ taken over all points of $\mathcal{E}(\mathbb{F}_q)$. More recently, various character sums over points of elliptic curves have been considered in a number of papers, see [1, 3, 7, 9, 10, 13, 14, 15, 17, 21] and references therein; many of these estimates are motivated by applications to pseudorandom number generators on elliptic curves [22].

We fix a nonprincipal additive character $\psi$ of $\mathbb{F}_q$. All our estimates are uniform with respect to the additive character $\psi$.

Let $G \in \mathcal{E}(\mathbb{F}_q)$ be a point of order $T$, in other words, $T$ is the cardinality of the cyclic group $\langle G \rangle$ generated by $G$ in $\mathcal{E}(\mathbb{F}_q)$.

Given two sets $\mathcal{A}, \mathcal{B} \subseteq \mathbb{Z}_T^*$, the unit group of the residue ring $\mathbb{Z}_T$ modulo $T$, and arbitrary complex functions $\alpha$ and $\beta$ supported on $\mathcal{A}$ and $\mathcal{B}$ with

$$|\alpha_a| \le 1,\ a \in \mathcal{A}, \qquad\text{and}\qquad |\beta_b| \le 1,\ b \in \mathcal{B},$$

we consider the bilinear sums of multiplicative type:

$$U_{\alpha,\beta}(\psi, \mathcal{A}, \mathcal{B}; G) = \sum_{a \in \mathcal{A}} \sum_{b \in \mathcal{B}} \alpha_a \beta_b\, \psi\bigl(x(abG)\bigr). \qquad (1)$$

Furthermore, given two sets $\mathcal{P}, \mathcal{Q} \subseteq \mathcal{E}(\mathbb{F}_q)$ and arbitrary complex functions $\rho(P)$ and $\vartheta(Q)$ supported on $\mathcal{P}$ and $\mathcal{Q}$ we consider the bilinear sums of additive type:

$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \sum_{P \in \mathcal{P}} \sum_{Q \in \mathcal{Q}} \rho(P)\vartheta(Q)\, \psi\bigl(x(P \oplus Q)\bigr). \qquad (2)$$

Bounds of the sums $U_{\alpha,\beta}(\psi, \mathcal{A}, \mathcal{B}; G)$ and $V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})$ are proved in [1, 3] and [19], respectively, where several applications of these bounds have been shown.

Here we improve the bound of [19] and use it with the bound of [1], and also with some additional arguments, to refine a series of previous results. In particular, we give improvements:

• of the elliptic curve version of the sum-product theorem of [20];

• of the bound of character sums from [15] with sequences of points of cryptographic significance;

• of the bound of character sums from [21] with linear combinations of $x(P)$ and $x(nP)$ for $P \in \mathcal{E}(\mathbb{F}_q)$.

Throughout the paper, any implied constants in the symbols $O$ and $\ll$ may occasionally depend, where obvious, on the integer parameter $\nu \ge 1$ and real parameter $\varepsilon > 0$, but are absolute otherwise. We recall that the notations $A \ll B$ and $A = O(B)$ are both equivalent to the statement that the inequality $|A| \le cB$ holds with some constant $c > 0$.

2 Preparations

2.1 Single sums

We recall the following special case of the bound of [13, Corollary 1]:

Lemma 1. Let $\mathcal{E}$ be an ordinary curve defined over $\mathbb{F}_q$ and let $G \in \mathcal{E}(\mathbb{F}_q)$ be a point of order $T$. Then for any group character $\chi$ on $\mathcal{E}(\mathbb{F}_q)$,

$$\sum_{n=1}^{T} \psi\bigl(x(nG)\bigr)\chi(nG) \ll q^{1/2}.$$

2.2 Bilinear sums of multiplicative type

We recall the bound of [1, Theorem 2.1] on the sums (1):

Lemma 2. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$, and let $G \in \mathcal{E}(\mathbb{F}_q)$ be a point of order $T$. Then, for any fixed integer $\nu \ge 1$, uniformly over all nontrivial additive characters $\psi$ of $\mathbb{F}_q$, we have

$$U_{\alpha,\beta}(\psi, \mathcal{A}, \mathcal{B}; G) \ll (\#\mathcal{A})^{1-1/2\nu}\,(\#\mathcal{B})^{1-1/(\nu+2)}\, T^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)}.$$
2.3 Bilinear sums of additive type

For the sum (2) it is shown in [19] that if

$$\max_{P \in \mathcal{P}} |\rho(P)| \le 1 \qquad\text{and}\qquad \max_{Q \in \mathcal{Q}} |\vartheta(Q)| \le 1$$

then for any fixed integer $\nu \ge 1$ we have

$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) \ll (\#\mathcal{P})^{1-1/2\nu}(\#\mathcal{Q})^{1/2} q^{1/2\nu} + (\#\mathcal{P})^{1-1/2\nu}\,\#\mathcal{Q}\, q^{1/4\nu}. \qquad (3)$$

Here we obtain a different bound which is stronger than (3) in several cases (for example, when $\#\mathcal{P} = \#\mathcal{Q}$).

Theorem 3. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let

$$\sum_{P \in \mathcal{P}} |\rho(P)|^2 \le R \qquad\text{and}\qquad \sum_{Q \in \mathcal{Q}} |\vartheta(Q)|^2 \le T.$$

Then, uniformly over all nontrivial additive characters $\psi$ of $\mathbb{F}_q$,

$$|V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})| \ll q^{1/2}\,(RT)^{1/2}.$$

Proof. Let $\mathcal{X}$ be the set of group characters on $\mathcal{E}(\mathbb{F}_q)$. We collect the points $P$ and $Q$ with a given sum $S = P \oplus Q$ and identify this condition via the character sum over $\mathcal{X}$. This gives

$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \sum_{S \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(x(S)\bigr) \sum_{P \in \mathcal{P}} \sum_{Q \in \mathcal{Q}} \rho(P)\vartheta(Q)\, \frac{1}{\#\mathcal{E}(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \chi(P)\chi(Q)\overline{\chi}(S).$$

Therefore

$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \frac{1}{\#\mathcal{E}(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \sum_{S \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(x(S)\bigr)\overline{\chi}(S) \sum_{P \in \mathcal{P}} \rho(P)\chi(P) \sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q).$$

The sum over $S$ is $O(q^{1/2})$ by Lemma 1, so

$$|V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})| \ll \frac{q^{1/2}}{\#\mathcal{E}(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \Bigl|\sum_{P \in \mathcal{P}} \rho(P)\chi(P)\Bigr| \Bigl|\sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q)\Bigr|.$$

We now use the Cauchy inequality, getting

$$|V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})| \ll \frac{q^{1/2}}{\#\mathcal{E}(\mathbb{F}_q)} \Bigl(\sum_{\chi \in \mathcal{X}} \Bigl|\sum_{P \in \mathcal{P}} \rho(P)\chi(P)\Bigr|^2\Bigr)^{1/2} \Bigl(\sum_{\chi \in \mathcal{X}} \Bigl|\sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q)\Bigr|^2\Bigr)^{1/2} \ll \frac{q^{1/2}}{\#\mathcal{E}(\mathbb{F}_q)} \bigl(\#\mathcal{E}(\mathbb{F}_q)^2 RT\bigr)^{1/2},$$

since

$$\sum_{\chi \in \mathcal{X}} \Bigl|\sum_{P \in \mathcal{P}} \rho(P)\chi(P)\Bigr|^2 = \sum_{P_1, P_2 \in \mathcal{P}} \rho(P_1)\overline{\rho(P_2)} \sum_{\chi \in \mathcal{X}} \chi(P_1 \ominus P_2) = \#\mathcal{E}(\mathbb{F}_q) \sum_{P \in \mathcal{P}} |\rho(P)|^2 \le \#\mathcal{E}(\mathbb{F}_q)\, R.$$

Similarly,

$$\sum_{\chi \in \mathcal{X}} \Bigl|\sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q)\Bigr|^2 \le \#\mathcal{E}(\mathbb{F}_q)\, T,$$

and the desired result now follows. □



3 Combinatorial Problems

3.1 Sum-product problem for elliptic curves

In [20], for any sets $\mathcal{R}, \mathcal{S} \subseteq \mathcal{E}$ it is shown that

$$\#\mathcal{U}\,\#\mathcal{V} \gg \min\{q\,\#\mathcal{R},\ \#\mathcal{R}\,\#\mathcal{S}\,q^{-1/2}\}, \qquad (4)$$

where

$$\mathcal{U} = \{x(R) + x(S) : R \in \mathcal{R},\ S \in \mathcal{S}\}, \qquad \mathcal{V} = \{x(R \oplus S) : R \in \mathcal{R},\ S \in \mathcal{S}\}. \qquad (5)$$

Clearly (4) implies that at least one of the sets $\mathcal{U}$ and $\mathcal{V}$ is large.

The main ingredient of the proof of (4) in [20] is (3). Using Theorem 3 in the argument of [20] one immediately derives the following improvement on (4):
Theorem 4. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $\mathcal{R}$ and $\mathcal{S}$ be arbitrary subsets of $\mathcal{E}(\mathbb{F}_q)$. Then for the sets $\mathcal{U}$ and $\mathcal{V}$, given by (5), we have

#W#V » min{g#ft, V 1 }. 

3.2 Sárközy problem for elliptic curves

In [19], the number of solutions $M(\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V})$ of the equation

$$x(S) + x(T) = x(U \oplus V), \qquad S \in \mathcal{S},\ T \in \mathcal{T},\ U \in \mathcal{U},\ V \in \mathcal{V},$$

for any sets $\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V} \subseteq \mathcal{E}(\mathbb{F}_q)$ is estimated. It is shown that if

$$\#\mathcal{S}\,\#\mathcal{T}\,\#\mathcal{U}\,\#\mathcal{V} \ge q^{7/2+\varepsilon}, \qquad \varepsilon > 0,$$

then

$$M(\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V}) = \bigl(1 + O(q^{-\varepsilon/2})\bigr)\,\frac{\#\mathcal{S}\,\#\mathcal{T}\,\#\mathcal{U}\,\#\mathcal{V}}{q}. \qquad (6)$$

The result above is the elliptic curve analogue of a result of A. Sárközy [18] regarding the number of solutions $N(\mathcal{A}, \mathcal{B}, \mathcal{C}, \mathcal{D})$ of the equation

$$a + b = cd, \qquad a \in \mathcal{A},\ b \in \mathcal{B},\ c \in \mathcal{C},\ d \in \mathcal{D},$$

for sets $\mathcal{A}, \mathcal{B}, \mathcal{C}, \mathcal{D} \subseteq \mathbb{F}_q$.

In [19], the asymptotic formula (6) is proved using (3). Now, using Theorem 3, the following improvement on (6) is immediate. The proof is omitted as it is completely similar to the proof given in [19].

Theorem 5. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$. Then for every $\varepsilon > 0$ and arbitrary sets $\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V} \subseteq \mathcal{E}(\mathbb{F}_q)$ with

$$\#\mathcal{S}\,\#\mathcal{T}\,\#\mathcal{U}\,\#\mathcal{V} \ge q^{3+\varepsilon},$$

we have

$$M(\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V}) = \bigl(1 + O(q^{-\varepsilon/2})\bigr)\,\frac{\#\mathcal{S}\,\#\mathcal{T}\,\#\mathcal{U}\,\#\mathcal{V}}{q}.$$
3.3 Distribution of subset sums

Let $P \in \mathcal{E}(\mathbb{F}_q)$ be an $\mathbb{F}_q$-rational point on an elliptic curve $\mathcal{E}$ over $\mathbb{F}_q$, and $\sigma$ be an endomorphism on $\mathcal{E}$. Also, let $\mathcal{M}_k$ be the set of $k$-dimensional vectors with coordinates $0, \pm 1$ which do not have two consecutive nonzero components, that is,

$$\mu_j \mu_{j+1} = 0, \qquad \text{for all } j = 0, \ldots, k-2. \qquad (7)$$

Motivated by applications to pseudo-random number generation, the set of points

$$P_{\sigma,\mathbf{m}} = \sum_{j=0}^{k-1} \mu_j \sigma^j(P), \qquad \mathbf{m} = (\mu_0, \ldots, \mu_{k-1}) \in \mathcal{M}_k, \qquad (8)$$

where $\sigma$ is an endomorphism of the elliptic curve $\mathcal{E}$, have been considered in [15].

In [15], three specific endomorphisms are considered. The first endomorphism considered in [15] is the doubling endomorphism $\delta(P) = 2P$, which is defined for any elliptic curve over any finite field.

The second endomorphism considered in [15] is the Frobenius endomorphism of the so-called Koblitz curves. A Koblitz curve $\mathcal{E}_a$, $a \in \mathbb{F}_2$, is given by the Weierstraß equation

$$\mathcal{E}_a:\ Y^2 + XY = X^3 + aX^2 + 1,$$

(see [12]) and its Frobenius endomorphism $\varphi$, which acts on an $\mathbb{F}_{2^n}$-rational point $P = (x, y) \in \mathcal{E}_a(\mathbb{F}_{2^n})$, is given by

$$\varphi(P) = (x^2, y^2).$$

Clearly $\varphi(P) \in \mathcal{E}_a(\mathbb{F}_{2^n})$.

Finally, as in [15], we consider one of the so-called GLV curves introduced by Gallant, Lambert and Vanstone [11], which we detail below.

Let the characteristic of $\mathbb{F}_q$ be a prime $p > 3$ such that $-7$ is a quadratic residue modulo $p$ (that is, $p \equiv 1, 2, 4 \pmod 7$). Define an elliptic curve $\mathcal{E}_{GLV}$ over $\mathbb{F}_p$ by

$$\mathcal{E}_{GLV}:\ Y^2 = X^3 - \tfrac{3}{4}X^2 - 2X - 1.$$

Let $\xi \in \mathbb{F}_p$ be a square root of $-7$. If $b = (1 + \xi)/2$ and $c = (b - 3)/4$, then the map defined in the affine plane by

$$\psi(x, y) = \left(\frac{x^2 - b}{b^2(x - c)},\ \frac{y(x^2 - 2cx + b)}{b^3(x - c)^2}\right),$$

for $P = (x, y) \in \mathcal{E}_{GLV}$, is an endomorphism of $\mathcal{E}_{GLV}$.

In [15], it has been shown that under mild conditions, the points (8) possess some uniformity of distribution properties, where $\sigma$ is one of the following endomorphisms:

$$\sigma = \begin{cases} \delta, & \text{for an arbitrary curve } \mathcal{E}, \\ \varphi, & \text{for a Koblitz curve } \mathcal{E} = \mathcal{E}_a,\ a = 0, 1, \\ \psi, & \text{for the GLV curve } \mathcal{E} = \mathcal{E}_{GLV}. \end{cases} \qquad (9)$$

Here, using Theorem 3 we improve the result of [15] in some ranges of parameters.

First we need the following estimate on $\#\mathcal{M}_k$ given by Bosma [6, Proposition 4].

Lemma 6. For any $k \ge 2$, we have:

$$\#\mathcal{M}_k = \tfrac{4}{3}\, 2^k + O(1).$$

For an endomorphism $\sigma$ of an elliptic curve $\mathcal{E}$ over $\mathbb{F}_q$ and a nonprincipal additive character $\psi$ of $\mathbb{F}_q$, we define the exponential sum

$$S_{\sigma,k}(\psi) = \sum_{\mathbf{m} \in \mathcal{M}_k} \psi\bigl(x(P_{\sigma,\mathbf{m}})\bigr),$$

where we always assume that the value of the character is defined as zero if the expression in the argument is not defined (for example, if $P_{\sigma,\mathbf{m}} = \mathcal{O}$ in the above sum).

It is shown in [15, Lemma 2.1] that if $P \in \mathcal{E}(\mathbb{F}_q)$ is of prime order $\ell$ then for any integer $k \ge 1$ the bound

$$|S_{\sigma,k}(\psi)| \ll \#\mathcal{M}_k \left(q^{1/4}\ell^{-1/2} + 2^{-k/2\nu}\, q^{(\nu+1)/4\nu}\right) \qquad (10)$$

holds with any fixed integer

$$\nu \ge \frac{\log q}{2k \log 2},$$

where $\sigma$ is one of the endomorphisms (9).

Given an endomorphism $\sigma$ of an elliptic curve $\mathcal{E}$ over $\mathbb{F}_q$, and an integer $k \ge 1$, we denote by $N_{\sigma,k}(Q)$ the number of representations

$$P_{\sigma,\mathbf{m}} = Q, \qquad \mathbf{m} = (\mu_0, \ldots, \mu_{k-1}) \in \mathcal{M}_k.$$

We recall [15, Lemma 2.1]:
We recall [151 Lemma 2.1]: 
Lemma 7. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $P \in \mathcal{E}(\mathbb{F}_q)$ be of prime order $\ell$. Then for any positive integer $k$ and for every point $Q \in \mathcal{E}(\mathbb{F}_q)$ the bound

$$N_{\sigma,k}(Q) \ll 2^k \ell^{-1} + 1$$

holds, where $\sigma$ is one of the endomorphisms (9).
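As an added illustration (not code from the paper), the following Python enumerates the vectors $\mathcal{M}_k$ of (7), checks the size against the count of Lemma 6, and computes the representation numbers $N_{\delta,k}(Q)$ of Lemma 7 for the doubling endomorphism $\sigma = \delta$. For $\delta$ no curve arithmetic is needed: $\delta^j(P) = 2^j P$, so $P_{\delta,\mathbf{m}} = (\sum_j \mu_j 2^j)P$, and for $P$ of prime order $\ell$ the count for $Q = cP$ is the number of $\mathbf{m}$ with $\sum_j \mu_j 2^j \equiv c \pmod{\ell}$. The exact closed form used for $\#\mathcal{M}_k$ is the standard count of non-adjacent forms and is an assumption of this example, consistent with Lemma 6.

```python
# Added example, not from the paper: the sign-digit vectors M_k of (7) and the
# representation counts N_{delta,k}(Q) of Lemma 7 for the doubling map delta.
# Since delta^j(P) = 2^j P, the point P_{delta,m} of (8) is (sum_j mu_j 2^j) P,
# so for P of prime order l everything reduces to residues modulo l.
from itertools import product

def vectors_M_k(k):
    """All m = (mu_0, ..., mu_{k-1}) with mu_j in {0, 1, -1} satisfying (7)."""
    return [m for m in product((0, 1, -1), repeat=k)
            if all(m[j] * m[j + 1] == 0 for j in range(k - 1))]

def lemma6_count(k):
    """Exact #M_k (standard NAF count, assumed here); it is (4/3)2^k + O(1)."""
    return (2 ** (k + 2) + (-1) ** (k + 1)) // 3

def scalar_delta(m):
    """Integer n with P_{delta,m} = nP, namely sum_j mu_j 2^j."""
    return sum(mu * (1 << j) for j, mu in enumerate(m))

def representation_counts(k, l):
    """N_{delta,k}(cP) for every residue c modulo l, as a dict c -> count.
    l is the (prime) order of P; residues that are never hit are absent."""
    counts = {}
    for m in vectors_M_k(k):
        c = scalar_delta(m) % l
        counts[c] = counts.get(c, 0) + 1
    return counts

def max_representations(k, l):
    """max over Q of N_{delta,k}(Q), to compare with 2^k / l + 1 of Lemma 7."""
    return max(representation_counts(k, l).values())
```

When $\ell$ exceeds twice the largest scalar $\sum_j \mu_j 2^j$, every count is exactly 1, because distinct vectors of $\mathcal{M}_k$ are distinct non-adjacent forms of distinct integers; for small $\ell$ the counts cluster near $\#\mathcal{M}_k/\ell$, the shape Lemma 7 predicts.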

We now obtain a bound that improves (10) for some values of parameters (namely for large $k$ and $\ell$).

Theorem 8. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $P \in \mathcal{E}(\mathbb{F}_q)$ be of prime order $\ell$. Then for any integer $k \ge 1$ the bound

$$|S_{\sigma,k}(\psi)| \ll \#\mathcal{M}_k\, q^{1/2}\ell^{-1} + (\#\mathcal{M}_k)^{1/2} q^{1/2}$$

holds, where $\sigma$ is one of the endomorphisms (9).

Proof. Let us choose $r = \lceil k/2 \rceil$. For $j = 0, 1$ we define $\mathcal{U}_j$ to be the subset of $\mathbf{u} = (u_1, \ldots, u_r) \in \mathcal{M}_r$ with $u_r = \pm j$. To form a vector in $\mathcal{M}_k$, a vector from $\mathcal{U}_0$ can be appended by any vector from $\mathcal{V}_0 = \mathcal{M}_{k-r}$, while a vector from $\mathcal{U}_1$ requires the following digit to be zero. Hence, we put

$$\mathcal{V}_1 = \{(0, \mathbf{w}) : \mathbf{w} \in \mathcal{M}_{k-r-1}\}.$$

We have

$$S_{\sigma,k}(\psi) = R_{\sigma,0} + R_{\sigma,1},$$

where

$$R_{\sigma,j} = \sum_{\mathbf{u} \in \mathcal{U}_j} \sum_{\mathbf{v} \in \mathcal{V}_j} \psi\bigl(x(P_{\sigma,\mathbf{u}} \oplus \sigma^r(P_{\sigma,\mathbf{v}}))\bigr), \qquad j = 0, 1.$$

We now consider the sets

$$\mathcal{X}_j = \{P_{\sigma,\mathbf{u}} : \mathbf{u} \in \mathcal{U}_j\} \qquad\text{and}\qquad \mathcal{Y}_j = \{\sigma^r(P_{\sigma,\mathbf{v}}) : \mathbf{v} \in \mathcal{V}_j\}.$$

Using Lemma 7 we see that we can write

$$R_{\sigma,j} = \sum_{X \in \mathcal{X}_j} \sum_{Y \in \mathcal{Y}_j} M(X)N(Y)\, \psi\bigl(x(X \oplus Y)\bigr), \qquad j = 0, 1,$$

with some positive coefficients $M(X)$ and $N(Y)$ such that

$$M(X) \ll 2^r \ell^{-1} + 1 \qquad\text{and}\qquad N(Y) \ll 2^{k-r} \ell^{-1} + 1.$$
We also trivially have

$$\sum_{X \in \mathcal{X}_j} M(X) = \#\mathcal{U}_j \qquad\text{and}\qquad \sum_{Y \in \mathcal{Y}_j} N(Y) = \#\mathcal{V}_j.$$

Therefore

$$\sum_{X \in \mathcal{X}_j} M(X)^2 \ll \#\mathcal{U}_j\,(2^r \ell^{-1} + 1) \qquad\text{and}\qquad \sum_{Y \in \mathcal{Y}_j} N(Y)^2 \ll \#\mathcal{V}_j\,(2^{k-r} \ell^{-1} + 1).$$

Therefore, by Theorem 3 we derive

$$|R_{\sigma,j}|^2 \ll q\,(2^r \ell^{-1} + 1)(2^{k-r} \ell^{-1} + 1)\,\#\mathcal{U}_j\,\#\mathcal{V}_j, \qquad j = 0, 1.$$

Clearly $\#\mathcal{U}_j\,\#\mathcal{V}_j \le \#\mathcal{M}_k \ll 2^k$. Furthermore, by the choice of $r$,

$$(2^r \ell^{-1} + 1)(2^{k-r} \ell^{-1} + 1) \ll (2^{k/2} \ell^{-1} + 1)^2 \ll 2^k \ell^{-2} + 1.$$

And thus

$$|R_{\sigma,j}| \ll q^{1/2}\, 2^k \ell^{-1} + q^{1/2}\, 2^{k/2}, \qquad j = 0, 1,$$

which concludes the proof. □

Clearly, if for some fixed $\varepsilon > 0$ we have $\ell \ge q^{1/2+\varepsilon}$ and $2^k \ge q^{1+\varepsilon}$, then the bound of Theorem 8 is nontrivial. As in [15, Section 4], we can now use this bound in various questions about the distribution of $x(P_{\sigma,\mathbf{m}})$ for $\mathbf{m} \in \mathcal{M}_k$.



4 Sums Over Consecutive Intervals

4.1 Stationary phase sums

For an integer $n$ and $a, b \in \mathbb{F}_q$, we now consider the sums

$$S_n(\psi; a, b) = \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(ax(P) + bx(nP)\bigr).$$

As it has been mentioned in [21], it follows from a much more general result of [?, Corollary 5] that if at least one of $a$ and $b$ is a non-zero element of $\mathbb{F}_q$ and $n > 0$, then

$$S_n(\psi; a, b) = O(n q^{1/2}). \qquad (11)$$
Furthermore, in [21], the following two bounds are given:

$$S_n(\psi; a, b) \ll q^{3/2}/d, \qquad (12)$$

and

$$S_n(\psi; a, b) \ll q d^{-1/2} + q^{3/4}, \qquad (13)$$

where $d = \gcd(n, \#\mathcal{E}(\mathbb{F}_q))$. The above bounds improve on (11) when $d$ is not very small. The bound (12) is nontrivial whenever $d/q^{1/2} \to \infty$ as $q \to \infty$. The bound (13) is nontrivial for $d \to \infty$ as $q \to \infty$, however it is weaker than the first bound for $d \ge q^{3/4}$.

In [21], the bound (3) is used to obtain (13). Here we use Theorem 3 to improve on the bounds (12) and (13). Although the proof of the new bound is quite similar to the proof given in [21], here, for the sake of completeness, instead of referring for details to [21] we give a complete proof of this bound.

Theorem 9. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $n > 0$ be an arbitrary integer. Then for any $a \in \mathbb{F}_q^*$ and $b \in \mathbb{F}_q$, we have

$$S_n(\psi; a, b) \ll q d^{-1/2},$$

where $d = \gcd(n, \#\mathcal{E}(\mathbb{F}_q))$.

Proof. Let $\mathcal{H}_d \subseteq \mathcal{E}(\mathbb{F}_q)$ be the subgroup of $\mathcal{E}(\mathbb{F}_q)$ consisting of the $d$-torsion points $Q \in \mathcal{E}(\mathbb{F}_q)$, that is, of points $Q$ with $dQ = \mathcal{O}$.

It is well-known, see [2, 4, 23], that the group $\mathcal{E}(\mathbb{F}_q)$ is isomorphic to

$$\mathcal{E}(\mathbb{F}_q) \cong \mathbb{Z}_M \times \mathbb{Z}_L \qquad (14)$$

for some unique integers $M$ and $L$ with

$$L \mid M, \qquad LM = \#\mathcal{E}(\mathbb{F}_q), \qquad L \mid q - 1. \qquad (15)$$

Since $d \mid \#\mathcal{E}(\mathbb{F}_q)$ we see from (14) and (15) that we can write $d = d_1 d_2$ where $d_1 = \gcd(d, M)$ and $d_2 \mid d_1$. It is now easy to see that

$$\#\mathcal{H}_d \ge d, \qquad (16)$$

(clearly $\mathcal{H}_d$ is a subgroup of the group $\mathcal{E}[d]$ of $d$-torsion points on $\mathcal{E}$, thus we also have $\#\mathcal{H}_d \le d^2$, see [2, 4, 23]).
For any point $Q \in \mathcal{E}(\mathbb{F}_q)$ we have

$$S_n(\psi; a, b) = \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(ax(P \oplus Q) + bx(n(P \oplus Q))\bigr).$$

Therefore, we obtain

$$S_n(\psi; a, b) = \frac{1}{\#\mathcal{H}_d} \sum_{Q \in \mathcal{H}_d} \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(ax(P \oplus Q) + bx(n(P \oplus Q))\bigr) = \frac{1}{\#\mathcal{H}_d} \sum_{Q \in \mathcal{H}_d} \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(ax(P \oplus Q) + bx(nP)\bigr) = \frac{1}{\#\mathcal{H}_d} \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \sum_{Q \in \mathcal{H}_d} \psi\bigl(bx(nP)\bigr)\, \psi\bigl(ax(P \oplus Q)\bigr),$$

since $nQ = \mathcal{O}$ for every $Q \in \mathcal{H}_d$ because $d \mid n$. Now applying Theorem 3 with $\mathcal{P} = \mathcal{E}(\mathbb{F}_q)$ and $\mathcal{Q} = \mathcal{H}_d$, we have

$$|S_n(\psi; a, b)| \ll \frac{1}{\#\mathcal{H}_d}\,\bigl(q^2\,\#\mathcal{H}_d\bigr)^{1/2} \ll q\,(\#\mathcal{H}_d)^{-1/2} \ll q d^{-1/2},$$

which concludes the proof. □

Note that for $d < q$, Theorem 9 is an improvement on (12) and (13). If $d \ge q$, then from the fact that $\#\mathcal{E}(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}$, see [23, Chapter 5, Theorem 1.1], it follows that $d = \#\mathcal{E}(\mathbb{F}_q)$ and hence in this case from (12) and Theorem 9 we have

$$S_n(\psi; a, b) = \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(ax(P) + bx(nP)\bigr) = \sum_{P \in \mathcal{E}(\mathbb{F}_q)} \psi\bigl(ax(P)\bigr) \ll q^{1/2}.$$



4.2 Sum with the elliptic curve power generator

We now improve the results of [3, 9] on the distribution of the power generator on elliptic curves. Namely, given a point $G \in \mathcal{E}(\mathbb{F}_q)$ of order $t$, we fix an integer $e$ with $\gcd(e, t) = 1$, put $W_0 = G$ and consider the sequence

$$W_n = eW_{n-1}, \qquad n = 1, 2, \ldots. \qquad (17)$$

In a more explicit form we have $W_n = e^n G$. Clearly, the sequence $W_n$ is periodic with period $T$ which is the multiplicative order of $e$ modulo $t$.
For a point $G \in \mathcal{E}(\mathbb{F}_q)$, a nonprincipal additive character $\psi$ of $\mathbb{F}_q$ and an integer $N$, we consider character sums

$$S(G, \psi, N) = \sum_{n=0}^{N-1} \psi\bigl(x(W_n)\bigr)$$

with the sequence (17).
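The generator (17) and the sum $S(G, \psi, N)$, as an added worked example that is not code from the paper: a small curve $Y^2 = X^3 + 2X + 3$ over $\mathbb{F}_{97}$, the prime, the point $G$ and the multiplier $e$ are all constructed here for illustration, and $\psi(x) = \exp(2\pi i x/p)$ is the usual additive character of a prime field.

```python
# Added example, not from the paper: the elliptic curve power generator (17),
# W_0 = G, W_n = e W_{n-1} = e^n G, on a small constructed curve over F_p, and
# the character sum S(G, psi, N) = sum_{n<N} psi(x(W_n)), psi(x) = exp(2 pi i x/p).
import cmath, math

P_MOD = 97          # constructed prime p > 5
A, B = 2, 3         # constructed curve Y^2 = X^3 + 2X + 3 over F_97 (nonsingular)
O = None            # the point at infinity

def add(P, Q):
    """Group law P (+) Q on the affine Weierstrass curve; O is neutral."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                      # Q = -P, including doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(n, P):
    """nP by double-and-add, n >= 0."""
    R = O
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

def point_order(G):
    """Order t of G, i.e. #<G>, by repeated addition (fine for p = 97)."""
    n, R = 1, G
    while R is not O:
        R, n = add(R, G), n + 1
    return n

def mult_order(e, t):
    """Multiplicative order of e modulo t, the period T of (17); needs gcd(e, t) = 1."""
    T, x = 1, e % t
    while x != 1:
        x, T = x * e % t, T + 1
    return T

def power_generator(G, e, N):
    """The terms W_0, ..., W_{N-1} of (17)."""
    W, seq = G, []
    for _ in range(N):
        seq.append(W)
        W = mul(e, W)
    return seq

def char_sum(G, e, N):
    """S(G, psi, N); a term with W_n = O contributes 0, as in Section 3.3."""
    psi = lambda x: cmath.exp(2j * math.pi * x / P_MOD)
    return sum(psi(W[0]) for W in power_generator(G, e, N) if W is not O)
```

Running `char_sum` for $N$ up to the period $T$ and comparing $|S(G,\psi,N)|$ with the trivial bound $N$ shows the cancellation that the bounds (18), (19) and Theorem 10 quantify.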

For $N = T$ the sum $S(G, \psi, T)$ is estimated in [14], where it is shown that for any fixed positive integer $\nu$, we have

$$S(G, \psi, T) \ll T^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}.$$

In [9], using two different approaches the above result is extended to incomplete sums $S(G, \psi, N)$ with $N \le T$. One of the approaches has led to

$$S(G, \psi, N) \ll N^{1-(3\nu+2)/2\nu(\nu+3)}\, t^{(\nu+1)/\nu(\nu+3)}\, q^{1/4(\nu+3)}, \qquad (18)$$

while the other one has yielded

$$S(G, \psi, N) \ll T^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} \log q. \qquad (19)$$

Notice that the bound (18) is stronger than (19) for short sums but for almost complete sums, the bound (19) is stronger.

Here, using Lemma 2 and an inductive argument, we give a bound that improves both (18) and (19).



Theorem 10. Let $\mathcal{E}$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $N \le T$. Suppose that for some fixed $\varepsilon > 0$ we have $t \ge q^{1/2+\varepsilon}$. Then for any fixed integer $\nu \ge 1$ there exists $C(\nu, \varepsilon) > 1$ depending only on $\nu$ and $\varepsilon$ such that

$$|S(G, \psi, N)| \le C(\nu, \varepsilon)\, N^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)}.$$

Proof. Our proof is based on an induction.

Notice that if $N \le q^{1/2}$, then since $t \ge q^{1/2+\varepsilon}$ we have

$$N^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)} \ge N,$$

and thus the claim holds trivially.

Now suppose that the claim is true for all $k < N$, and hence there exists $C(\nu, \varepsilon)$, which is to be determined later, depending only on $\nu$ and $\varepsilon$, so that for all $k < N$, we have

$$|S(G, \psi, k)| \le C(\nu, \varepsilon)\, k^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)}.$$

Let $\mathcal{M} = \{0, \ldots, M-1\}$ where $M < N$. For every $m \in \mathcal{M}$, we have

$$S(G, \psi, N) = \sum_{n=0}^{N-1} \psi\bigl(x(e^{n+m} G)\bigr) + S(G, \psi, m) - S(H, \psi, m),$$

where $H = e^N G$, and hence

$$M\, S(G, \psi, N) = \sum_{m=0}^{M-1} \sum_{n=0}^{N-1} \psi\bigl(x(e^{n+m} G)\bigr) + \sum_{m=0}^{M-1} S(G, \psi, m) - \sum_{m=0}^{M-1} S(H, \psi, m).$$

Notice that our bounds hold for any point of order $t$, and thus using the fact that $\gcd(e, t) = 1$ we can apply the induction hypothesis to the point $H$ too. Hence by the induction hypothesis we have

$$M\, |S(G, \psi, N)| \le W + 2M\, C(\nu, \varepsilon)\, M^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)},$$

where

$$W = \Bigl|\sum_{m=0}^{M-1} \sum_{n=0}^{N-1} \psi\bigl(x(e^{n+m} G)\bigr)\Bigr|.$$

Applying Lemma 2 we get

$$W \le D(\nu, \varepsilon)\, M^{1-1/2\nu}\, N^{1-1/(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)}$$

for some $D(\nu, \varepsilon)$ depending only on $\nu$ and $\varepsilon$. From the two inequalities above, we have

$$|S(G, \psi, N)| \le D(\nu, \varepsilon)\, M^{-1/2\nu}\, N^{1-1/(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)} + 2C(\nu, \varepsilon)\, M^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}\, (\log q)^{1/(\nu+2)}.$$

We see that it suffices to take $M = \lceil N/2 \rceil$ and

$$C(\nu, \varepsilon) = \frac{2^{1/2\nu}\, D(\nu, \varepsilon)}{1 - 2^{(3\nu+2)/2\nu(\nu+2)}}$$

to conclude the proof. □

Notice that when $t =$ , which is the most interesting case, taking $\nu$ to be a very large number shows that the bound in Theorem 10 is stronger than the bound (18) whenever $N \ge q^{5/6+\varepsilon}$ for some fixed $\varepsilon > 0$.

5 Comments

Dvir [8] has considered the problem of constructing randomness extractors for algebraic varieties. In general terms the problem can be described as follows. Given an algebraic variety $V$ over $\mathbb{F}_q$ and one or several sources of random but not necessarily uniformly generated points on $V$, design an algorithm to generate long strings of random bits with a distribution that is close to uniform. The construction of [8] requires only one but rather uniform source of points on $V$. In the case when $V = \mathcal{E}$, the result of Theorem 3 has a natural interpretation as a two-source extractor from two biased sources of points $P$ and $Q$, respectively. Say, if $q = p$, then one can use the most significant bits of $x(P \oplus Q)$ (in some standard representation of the residues modulo $p$). The exact number of output bits depends on the bias of the sources of points $P$ and $Q$.

We also remark that many of our results have direct analogues for sums with multiplicative characters.